Thanks Joel!
On Thu, Apr 17, 2014 at 11:13 AM, Joel Esler (jesler) <jesler at ...589...> wrote:
> On Apr 17, 2014, at 12:44 PM, Jeremy Hoel <jthoel at ...11827...> wrote:
>> Last night we started getting a good number of these. We are VRT
>> subscribers and pull rule updates every few hours. Looking at PP logs it
>> seems this rule hasn't changed in a good long while. The clients that are
>> triggering this rule are not XP machines (Windows 7, patched current). The
>> servers it's hitting against are all Windows 2008/2012 DCs.
>>
>> I'm trying to find the info in the SO files about this particular rule
>> so I can try and understand more about why it's firing now, but searching in
>> the source, we only see a reference to that SID
>> in so_rules/bad-traffic.rules, but that's only the rule text itself, not
>> anything in code that could help explain why it's firing.
>>
>> As a side note, the domains it's firing on are espn.go.com or espn.com
>>
>> 0000000: d2 cd 01 00 00 01 00 00 00 00 00 00 04 65 73 70 6e 02 67 6f 03 63 6f 6d 00 00  .............espn.go.com..
>> 000001A: 01 00 01
>>
>> 0000000: d6 d9 01 00 00 01 00 00 00 00 00 00 04 65 73 70 6e 03 63 6f 6d 00 00 01 00 01  .............espn.com.....
>> 000001A:
>>
>> Anyone else seeing this or having any ideas?
>
> The person who actually wrote this rule is on vacation today. Let me
> defer until he gets back and have him answer.
>
> --
> *Joel Esler*
> Open Source Manager
> Threat Intelligence Team Lead
> Vulnerability Research Team
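As an added example (not part of the thread, and not the SO rule's own logic, which is not shown here), the following Python decodes the two DNS query payloads quoted in the hex dump above: header fields, the question name, and the query type/class. Seeing the decoded fields side by side is the quickest way to tell what a DNS-matching rule could be keying on in these packets; the byte strings are transcribed from the dump, and the parser rejects truncated or malformed names rather than reading past the buffer.

```python
import struct

# The two DNS query payloads quoted in the thread, transcribed from the hex dump.
ESPN_GO_COM = bytes.fromhex(
    "d2cd 0100 0001 0000 0000 0000"        # header: id, flags, QD/AN/NS/AR counts
    "04 6573706e 02 676f 03 636f6d 00"     # qname: espn.go.com
    "0001 0001"                            # qtype A, qclass IN
)
ESPN_COM = bytes.fromhex(
    "d6d9 0100 0001 0000 0000 0000"
    "04 6573706e 03 636f6d 00"             # qname: espn.com
    "0001 0001"
)


def parse_dns_question(payload: bytes) -> dict:
    """Decode the header and first question of a raw DNS message (RFC 1035)."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    if qd != 1:
        raise ValueError(f"expected exactly one question, got {qd}")
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            raise ValueError("name runs past end of message")
        length = payload[pos]
        if length == 0:              # root label terminates the name
            pos += 1
            break
        if length & 0xC0:            # compression pointer: never needed in a query's question
            raise ValueError("compression pointer in question name")
        label = payload[pos + 1:pos + 1 + length]
        if len(label) != length:     # bounds check before trusting the length byte
            raise ValueError("label runs past end of message")
        labels.append(label.decode("ascii"))
        pos += 1 + length
    if pos + 4 > len(payload):
        raise ValueError("question missing type/class")
    qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return {
        "id": txid,
        "is_query": not (flags & 0x8000),         # QR bit clear
        "recursion_desired": bool(flags & 0x0100),  # RD bit
        "counts": (qd, an, ns, ar),
        "qname": ".".join(labels),
        "qtype": qtype,   # 1 == A
        "qclass": qclass,  # 1 == IN
        "length": pos + 4,  # bytes consumed by header + question
    }


if __name__ == "__main__":
    for pkt in (ESPN_GO_COM, ESPN_COM):
        print(parse_dns_question(pkt))
```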